Sandy,
On Jun 27, 2014, at 8:53 PM, Randy Bush <[email protected]> wrote:
[ you omitted the as number in your discussion, but ca needs a so it
knows which AS signs. luckily bgpsec-pki-profiles does have it in the
pkcs#10 subject ]
That's a good point.
Actually, bgpsec-pki-profiles does NOT have it in the PKCS#10 subject.
bgpsec-pki-profiles gives a list of exceptions to the PKCS#10 defined in
RFC6487, but the exceptions do not include the AS number.
I had forgotten (if I ever noted) that the PKCS#10 profile in RFC6487 does not
include the number resources.
So we need to come up with a way to get the AS number to the CA, also.
Thinking about this some more: note that a CA generally needs to have some way of linking a cert request to a specific entity, person or thing. In this context, the router needs to be known to the CA when the request is made. So, if the router is registered in a database accessible to the CA, that database should contain the AS # that the router is authorized to represent. Having the router propose an AS# is OK too, but the CA is authoritative.
Steve
_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
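The CA-side decision Steve describes (link the request to a registered router, take the authorized AS numbers from the CA's own database, treat a router-proposed AS as a hint the CA checks rather than trusts) can be sketched as a small authorization routine. The code below is an added illustration, not code from this thread or from any BGPsec or RPKI CA implementation; the PKCS#10 request is abstracted to a dict with a hypothetical `router_id` and `proposed_asn` field, and the registration database is a constructed in-memory table using AS numbers from the documentation range.

```python
"""CA-side authorization of a BGPsec router certificate request.

Added example, not code from the sidr thread or any real CA. The PKCS#10
object is modelled as a dict carrying only the two fields the decision
needs; the registry is a constructed table of pre-registered routers.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class RouterRecord:
    router_id: str                  # identity the CA registered ahead of time
    authorized_asns: FrozenSet[int]  # AS numbers this router may represent


class RequestRejected(Exception):
    """Raised when the CA will not issue for this request."""


# Constructed registry: what the CA already knows before any request arrives.
# AS numbers are from the documentation range (64496-64511), not real networks.
REGISTRY = {
    "rtr-edge-1": RouterRecord("rtr-edge-1", frozenset({64496})),
    "rtr-core-7": RouterRecord("rtr-core-7", frozenset({64496, 64497})),
}


def authorize_request(request: dict, registry=REGISTRY) -> int:
    """Return the AS number the CA will put in the router certificate.

    `request` stands in for the fields extracted from the PKCS#10 object:
    'router_id' (how the CA links the request to a known device) and an
    optional 'proposed_asn' (the router's own suggestion). The registry,
    not the request, is authoritative for which AS the router may sign for.
    """
    record = registry.get(request.get("router_id"))
    if record is None:
        # Unknown requester: the CA cannot link the request to any entity.
        raise RequestRejected("request does not map to a registered router")

    proposed: Optional[int] = request.get("proposed_asn")
    if proposed is None:
        # No hint from the router: only unambiguous if exactly one AS is registered.
        if len(record.authorized_asns) != 1:
            raise RequestRejected(
                "router is registered for several ASes; request must say which")
        return next(iter(record.authorized_asns))

    if proposed not in record.authorized_asns:
        # Router proposed an AS the CA has not authorized it to represent.
        raise RequestRejected(f"router is not authorized for AS{proposed}")
    return proposed


def try_authorize(request: dict, registry=REGISTRY) -> Optional[int]:
    """Non-raising wrapper: the AS to certify, or None if the CA rejects."""
    try:
        return authorize_request(request, registry)
    except RequestRejected:
        return None


if __name__ == "__main__":
    samples = [
        {"router_id": "rtr-edge-1"},                          # registry supplies the AS
        {"router_id": "rtr-core-7", "proposed_asn": 64497},   # proposal matches registry
        {"router_id": "rtr-core-7"},                          # ambiguous, rejected
        {"router_id": "rtr-edge-1", "proposed_asn": 64500},   # unauthorized AS, rejected
        {"router_id": "rtr-unknown"},                         # not registered, rejected
    ]
    for req in samples:
        print(req, "->", try_authorize(req))
```

The point of the split between `authorize_request` and the registry is that the request only ever narrows the choice among ASes the CA already recorded for that router; a proposal can never widen it.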